Finally, a workable approach to web Single Sign On

In the last 20 years, practically all the large software vendors came out with Single-Sign-On (previously “PKI”) products that were supposed to give a single login that would give you access to all the resources on the network. As good as this idea sounds, in practice that almost never works. Why Single Sign On constantly fails in corporate environments is a mystery wrapped in an Enigma. But it just doesn’t.

On the web, it seems even more logical that a single login will give you access to all the resources, and yet the situation is even worse. Microsoft, google, yahoo, AOL, and now facebook have all tried their Single Sign On initiatives that ended up having users signing up to 4-5 different ‘single sign on’ services and typically just opting for the only single sign on method that works: Using the same username and password everywhere.

Before you ask, OpenID is not a single sign on solution – it’s an identification service. So with that out of the way, are we doomed to never have a workable option to web single sign on?

Well, it seems the solution was always there: in fact, most of us have been using it for a while. Your browser.

Done well, the browser can keep the username/password combination in a secure place, protected by a single password and encrypted on your hard drive. The only risk is a Trojan using your browser to log into web sites without your knowledge – but that’s a risk you have today with keylogger rootkits, so you are not worse off letting your browser save the password for you.

The only two challenges facing the browsers to truly provide an SSO experience were web sites like paypal that refused to let the browser save username/password information (though you could bypass that restriction with bookmarklets such as “Password Saver” on firefox) and the second challenge was just the convenience of needing to login instead of having the browser login for you, as you’d expect in a “real” SSO.

It seems that firefox has picked up the glove. In a recent blog post ( firefox announced an add on that will handle account management; likely not much different than what is done today, perhaps a bit more extended and automated. Facebook, google and some others won’t be happy about this move, but who cares. The best thing about this method of SSO is that you don’t need the site’s cooperation for it to work. In fact, as long as they don’t actively resist (e.g. by adding CAPTCHA’s) firefox can be the de-facto standard for account management in the not-too-far future.


Privacy via lawsuit (vs security)

Interesting story about collecting data from Facebook.  I wonder if he would have had the same trouble if he had written the utility as a Facebook app, since apps are able to access all data from any user that runs them.  Maybe he could talk to the Farmville people, and collect everthing on pretty much every Facebook user.

All kinds of intriguing questions arise:

Has Facebook threatened to sue Google?  If they did, who has the bigger legal budget?

With all the embarrassing leaks, why doesn’t Facebook simply do some decent security, and set proper permissions?  (Oh, sorry.  I guess that’s a pretty stupid question.)

Does the legal concept of “community standards” apply to assumed technical standards such as robots.txt?  If nobody tests it in court, does any large corporation with a large legal budget get to rewrite the RFCs?

If you don’t get noticed, is it OK?  Does this mean that the blackhats, who try hard to stay undetected, are legally OK, and it’s only people who are working for the common good who are in trouble?


Linux Kernel Bashing

This summer may have caused a few burden’s on linux administrators. By all the patching necessary to keep their systems out of the hands of those who would choose to exploit it, unless your using something like Ksplice, you’ve more than likely rebooted many times already. Well, here is one more reason to wake this early this morning…

New exploits for the “Linux NULL pointer dereference due to incorrect proto_ops initializations” vulnerability have been released, here and here. I just tried the second one out myself on a (currently) fully updated Ubuntu Jaunty workstation, with (_default_) successful results.

linux@ubuntu:~/2009-proto_ops$ sh
run.c: In function ‘main’:
run.c:13: warning: missing sentinel in function call
padlina z lublina!
# id
uid=0(root) gid=0(root) groups=4(adm),20(dialout),24(cdrom),46(plugdev)
# exit

A reliable local root exploit for that affects all linux kernels 2.x. Feels like 2003 all over again :X


Offensive-Security WPA Rainbow Tables

The guys over at Offensive Security have released a 49 Million WPA optimised password dictionary file, the torrents are up at this link here.

If you download it though, please keep the torrents seeding for a while to help others out.

Have fun cracking!


C-level execs ignorant of Web 2.0 dangers

According to ITWorldCanada, C-level executives are pushing for greater access to social networking sites and facilities, while even IT managers and security specialists are unprepared to deal with the full range of risks from this type of activity.

In order to get some traction with senior management on this issue, you might want to remind them that, when they take off with funds they’ve obtained via fraud, it’s best not to post boasts on Facebook.


DJBDNS Security Broken

According to this thread, DJBDNS’s security has officially been broken. A patch is available and the reward for the bug by Mr. Bernstein will be awarded to Matthew Dempsky. Quoting from the thread:

“If the administrator of publishes the DNS data through tinydns and axfrdns, and includes data for transferred from an untrusted third party, then that third party can control cache entries for, not just This is the result of a bug in djbdns pointed out by Matthew Dempsky. (In short, axfrdns compresses some outgoing DNS packets incorrectly.)

Even though this bug affects very few users, it is a violation of the expected security policy in a reasonable situation, so it is a security hole in djbdns. Third-party DNS service is discouraged in the djbdns documentation but is nevertheless supported. Dempsky is hereby awarded $1000.

The next release of djbdns will be backed by a new security guarantee. In the meantime, if any users are in the situation described above, those users are advised to apply Dempsky’s patch and requested to accept my apologies. The patch is also recommended for other users; it corrects the bug without any side effects. A copy of the patch appears below.

—D. J. Bernstein

Research Professor, Computer Science, University of Illinois at Chicago”

I still believe Georgi Guninski’s bug was enough for a reward, but oh well. I wonder what the “new security guarentee” will be, anyway.


The Internet Almost Crashed!

Yeah, it is true. I guess some programming errors are more serious than others, so lets give these guys a break: I also suppose the dark clouds gathered for all the recent DDoS characters, too.


Kaspersky Injected

Kaspersky’s USA website was hacked by SQL injection. Maybe they should hire some virus writers to secure their website, or better yet, a good penetration testing team.

Grab more details about the incident here.


Exploits of the Week #2

barracuda spam firewall

Internet Explorer 7 XML Buffer Overflow ‘All-In-One’ Exploit


MS SQL Server Heap Overflow Exploit

Guido Landi

Barracuda Spam Firewall SQL Injection

Marian Ventuneac

CUPS pstopdf Filter Local Exploit

Jon Oberheide

Coolplayer Local Buffer Overflow Exploit



Snoop on Google Talk (Wiretap)

Yes snooping on someone else’s GoogleTalk is no big deal if you know their password, but what is interesting that unlike other chat clients like Skype, MSN and others GoogleTalk will allow you to do so simultaneously.

You can connect to the GoogleTalk server while another user using the same username and password is also connected to the GoogleTalk server.

This neat feature, probably stems from the fact that Google supports web based chat in a constantly refreshing web page (unlike MSN which launches a separate window) allows you to see incoming responses and messages being sent to your target without needing to do anything.

BTW Google, don’t fix this, I find it useful for my BlackBerry and PC chat sharing – basically never needing to logon/logoff on my PC/BlackBerry they are both constantly connected to the Google Talk servers.

UPDATE This post is not related to the recently released NSA patent on Snoop detection :D


SPAMing as a Full Time Job?

no spam
I’ve been noticing that most of the spam I get (and nearly all that gets through the filters) arrives during the week, not the weekends. Actually, looking at my spam box, it looks like I receive around twice as much on week days than weekend days.

My point being, and I sure there are some good answers: Is spamming a full time job for a lot of spammers, or even a 40 hour a week job? I’d have to say for at least the dedicated ones, it probably is. Or, do they just figure more people check their mail on the weekdays?

Either way, spam sucks.


Metasploit’s Decloak, v2


Metasploit Decloak in back online. Decloak (v2) now identifies the real IP access of a user using a slick combo of “client-side technologies and custom services”. v2 also works regardless of the user’s proxy settings. The only public technology that it cannot get through is a PROPERLY CONFIGURED Tor+Torbutton+Privoxy setup, HDM mentions.

You can read more about it and if you haven’t already, give it a whirl.


Everything new is old again – Web 2.0

Or, social networking, if you prefer.

Let’s face it, the net is social.  The money that went into creating computer networks, and the Internet itself, may have been intended for specific purposes, but as soon it it was there people, being people, were being social.

As soon as the Internet was out of the test-bed (and probably before that), and even before it was known as the Internet, people were using email.  A lot.  For social things.  What are the longest running Usenet “news”groups, and mailing lists of any types?  Lists of jokes and discussions of science fiction.  Social stuff.  (Yeah, the sf geeks are pretty antisocial, by “normal” standards, but for them this stuff is the ultimate in sociability.)

So, what’s new?  Oh, “social” networks have the users generate content?  What do you think mailing lists are?  OK, blogs make it a bit easier to search archives.  But archives of mailing lists have been around for a while, too.  (And this “easier” stuff is highly subjective.  Some blogs can be pretty difficult to plow through in order to find content of interest.)

And what about the Internet itself?  It’s the last word in user created content.  The protocols and programs that run the net were primarily created by individual users, seeing something they wanted to do, and writing something that would do it.  As Dave Clark famously put it, “We believe in: rough consensus and running code.”
Works pretty good, doesn’t it?


Not Microsoft’s Online Lottery


This was just too funny not to share. Read carefully and draw your own conclusions, haha.

date    Wed, Dec 17, 2008 at 10:23 AM

hide details 10:23 AM (3 hours ago)


Redmond, WA 98052.
Ref: BTD/968/08
Batch: 409978E

This is to inform you that your email has won a consolation prize
of the Microsoft Corporation 2008 EMAIL DRAW.Your email has won
(£500,000.00)&(Great British Pounds)of the microsoft onlinelottery
promotion Your email address as indicated was drawn and attached to
ticket number 008795727498 with serial numbers BTD/9080648302/08 and
drew the lucky numbers 14-21-25-39-40-47(20)To file for your claims,you
are to contact your designated claims agent
Mr.mike robinson of this

Full Names——————-
Contact Address————–
Telephone numbers————
Microsoft Fiduciary Agent
MR Harry peterson


Phone fraud

A not-uncommon phone fraud story from the CBC.  However, I keep telling people:

a) We don’t know enough about phone systems, and unlike most of the breaches we deal with phone fraud costs you real money, right now.

b) When you get hit and take the story to the telcos, the telcos, very profoundly, don’t care.


Useless SPAM


This junk keeps slipping through gmail’s spam filters and the best I can say about it is ‘useless’.

Anybody else been getting this kind of crap lately?

to    [0][x][j][b][r][o][w][n][4][1]
date    Mon, Dec 15, 2008 at 4:02 PM
subject    Christoph Schell/Kerpen/GECITS-EU is out of the office.

I will be out of the office starting  11.12.2008 and will not return until

I will respond to your message when I return or contact Michael Menen

COMPUTACENTER PLC is registered in England and Wales with the registered number 03110569.  Its registered office is at Hatfield Business Park, Hatfield Avenue, Hatfield, Hertfordshire AL10 9TW
COMPUTACENTER (UK) Limited is registered in England and Wales with the registered number 01584718.  Its registered office is at Hatfield Business Park, Hatfield Avenue, Hatfield, Hertfordshire AL10 9TW

The contents of this email are intended for the named addressee only.
It contains information which may be confidential and which may also be privileged.
Unless you are the named addressee (or authorised to receive mail for the addressee) you may not copy or use it, or disclose it to anyone else.

If you receive it in error please notify us immediately and then destroy it.

Computacenter information is available from:


I usually get 5-10 of these about once a month, all in the same hour or two.The most ‘useless’ part about it is that it doesn’t affect me, at all, in any way, neither personally or work related.